GSuite SSO
To enable SSO to GSuite using SAML, you will need to configure both GSuite and OpenIAM. The following section describes how to configure both.
Configure GSuite
To configure the GSuite side, login to the GSuite admin console at: https://admin.google.com/
- Open the Security section as shown in the diagram below
- Open the section titled Setup single sign-on (SSO) with a third party IdP as shown below.
- GSuite will present the form shown below to capture details about the IdP. Complete the form as described in the table below.
Field Name | Description |
---|---|
Set up SSO with third-party Identity Provider | Enable this checkbox. This flag enables / disables integration with a third party IdP such as OpenIAM. |
Sign-in page URL | URL to sign-in to OpenIAM. https://[your openiam instance]/idp/saml2/idp/login |
Sign-out page URL | URL where users are redirected after they logout. https://[your openiam instance]/idp/saml2/idp/logout |
Certificate file upload | Upload the certificate that you created here |
Use a domain specific issuer | Enable this checkbox. This is especially important if you are integrated with multiple GSuite tenants. |
Change password URL | URL to change password using the OpenIAM IdP. http://[your openiam instance]/idp/changePwd.html |
Configure OpenIAM Authentication provider
The OpenIAM IdP must be configured to support the service provider. The steps below describe this process.
- Login to the OpenIAM Webconsole
- Go to Access Control -> Authentication Provider -> Create new Provider
- Select SAML IdP from the dropdown. This means that OpenIAM is acting as the IdP.
- Complete the form as described in the table below
Field Name | Description |
---|---|
Provider Name | Descriptive name that will help you identify this integration, for example GSuite |
Application URL | Refers to your GSuite tenant https://mail.google.com/a/[your gsuite domain] |
Linked to Managed System | OpenIAM allows you to have a different identity for each application. This configuration indicates which identity should be used for this integration with GSuite. If you are using OpenIAM to also manage the user life cycle in GSuite, then you should select the 'GSuite Managed System'. |
Assertion Consumer URL | Endpoint on the service provider where the IdP will "POST" its authentication response https://www.google.com/a/[your gsuite domain]/acs |
Request Issuer | This is the URL of your service provider http://google.com/a/[your gsuite domain] |
SAML Signed Requests | Enable this checkbox so that OpenIAM signs its requests. |
Digest Algorithm | The SAML digest algorithm is part of the validation process to ensure the integrity of the request. Select SHA-256 from the dropdown |
Signature Algorithm | Select http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 from the dropdown. |
Sign Assertions | Enable this checkbox |
Public key for validating signatures | Upload the certificate created earlier. The certificate will be used for validating the signature. |
Name ID Format | Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
SLO Binding | Defines how the Single logout request should be exchanged. Select POST |
Relay state strategy | URL that users will be directed to after a successful authentication using SAML. Select Default Relay State Strategy |
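The two tables above (the GSuite side and the OpenIAM provider side) have to agree on the ACS URL, the request issuer, the Name ID format and the SHA-256 signature and digest algorithms. The following script is an added example, not part of the OpenIAM documentation or product, that parses a SAML Response and reports every place where the assertion disagrees with those settings. The tenant domain example.com, the IdP host idp.example.com, and the sample responses are constructed placeholders; the ds:Signature elements are structural only (the DigestValue and SignatureValue are dummies), so this checks that the response is shaped and labelled as configured and does not perform cryptographic verification.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values the configuration above should produce. Domain and host are placeholders.
EXPECTED = {
    "acs_url": "https://www.google.com/a/example.com/acs",          # Assertion Consumer URL
    "audience": "http://google.com/a/example.com",                  # Request Issuer
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "signature_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "digest_algorithm": "http://www.w3.org/2001/04/xmlenc#sha256",  # SHA-256 digest
}


def check_saml_response(xml_text, expected=EXPECTED):
    """Return a list of mismatches between the response and the expected settings."""
    findings = []
    root = ET.fromstring(xml_text)

    # The response must be addressed to the SP's ACS endpoint.
    dest = root.get("Destination")
    if dest != expected["acs_url"]:
        findings.append(f"Destination {dest!r} is not the ACS URL {expected['acs_url']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("response carries no Assertion")
        return findings

    # "Sign Assertions" means the assertion itself carries a ds:Signature.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        findings.append("assertion is not signed")
    else:
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        algo = sm.get("Algorithm") if sm is not None else None
        if algo != expected["signature_algorithm"]:
            findings.append(f"SignatureMethod {algo!r} is not {expected['signature_algorithm']!r}")
        dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        digest = dm.get("Algorithm") if dm is not None else None
        if digest != expected["digest_algorithm"]:
            findings.append(f"DigestMethod {digest!r} is not {expected['digest_algorithm']!r}")

    # GSuite matches the NameID to the user's e-mail address.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt != expected["nameid_format"]:
        findings.append(f"NameID Format {fmt!r} is not {expected['nameid_format']!r}")

    # The audience restriction must name the SP issuer, or another SP could replay it.
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    aud_text = aud.text.strip() if aud is not None and aud.text else None
    if aud_text != expected["audience"]:
        findings.append(f"Audience {aud_text!r} is not {expected['audience']!r}")

    return findings


def build_response(sig_alg, digest_alg, nameid_format, audience, signed=True):
    """Construct a sample SAML Response (placeholder signature values, not a real signature)."""
    signature = f"""
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="{sig_alg}"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="{digest_alg}"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>""" if signed else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://www.google.com/a/example.com/acs">
  <saml:Issuer>https://idp.example.com/idp/saml2/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/idp/saml2/idp</saml:Issuer>{signature}
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


# Constructed sample: a response matching the configuration above.
GOOD_RESPONSE = build_response(
    EXPECTED["signature_algorithm"], EXPECTED["digest_algorithm"],
    EXPECTED["nameid_format"], EXPECTED["audience"])

# Constructed sample: SHA-1 algorithms, unspecified NameID, and another tenant as audience.
BAD_RESPONSE = build_response(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "http://google.com/a/other.example")

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(resp) or "OK")
```

Run it against a response captured from the browser's SAML trace after the integration is set up, with EXPECTED edited to your own domain and host; an empty list means the assertion is shaped as the two tables require. Signature verification against the uploaded certificate is a separate step that needs an XML-DSig library such as xmlsec.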
With the IdP / SP configuration complete, return to the SAML configuration page and follow the steps to "Grant access to your application".